Information from one scan carries over to the next. This includes:

  • Reviewed State

  • Comments

  • Detection Date

  • Severity Level

  • Issue Submission Date

  • Suppressions

Risks and Suppressions

Changing a proposed risk of an individual vulnerability or entire vulnerability type/group on a scan level is done by clicking on the pen icon next to the Risk label.

This prompts a dropdown menu with a choice of changing the risk for an individual vulnerability or all vulnerabilities in the group of that type.

The change will be applied only on the current scan level. Changing the default proposed risks of vulnerability types can be done on a configuration file level, by editing engine JSON configuration files located in the Mend SAST® installation directory under ./engines/config/.

Suppressing an individual vulnerability or entire vulnerability type/group, for reasons such as false positives, accepted risks and other, can be done by clicking on the flag icon either in the tree view menu or in the details header of a vulnerability. Suppressions will prompt for an optional comment that will be displayed in the details of a vulnerability.

Once a vulnerability is suppressed, Mend SAST® will store its signature in the database and it will be able to recognize it in future scans over the same source code base and optionally ignore it by selecting the Ignore Stored Suppressions option in the scan configuration.

Issue Submission

Issues for individual vulnerabilities can be submitted to supported issue tracking systems (currently Atlassian Jira and Azure DevOps work items). To submit an issue, click on the ticket icon in the vulnerability details header. If the credentials for the integrations have already been configured, Mend SAST® will automatically fetch the list of available projects, issue types and assignable users. Optional comments can be supplied to a submitted issue.

Submitted issues will contain the individual vulnerability details such as summary of the data flow with all the relevant code lines and files and mitigation recommendations.

Scan Visibility

Default group visibility of a scan is set to the groups of the scan creator. The visibility can be changed by clicking on the ... option expansion next to the Create Report button.

Parent application of a scan can be set in the same dropdown menu.



Copyright © 2024 (White Source Ltd.) | All rights reserved.